[security] Phishing: Bookmarks to the rescue?
Ka-Ping Yee
openid at zesty.ca
Tue Jan 23 03:56:15 UTC 2007
On Mon, 22 Jan 2007, Bob Wyman wrote:
> It seems to me that if "the core part of the strategy" is to get users to
> use bookmarks, then the strategy relies on merely hacking around limitations
> in today's browsers. This is, at best, a short term approach. However, I
> strongly believe that secure authentication and identity is sufficiently
> important that we should NOT be wasting our time on building hacks. Rather,
> we should be determining:
>
> * What are the best modifications that we can make to clients?
> * What can we do to get client developers to implement those modifications?
I think these are good long-term goals. The difficulty with this
route is that modifying the client is relatively costly -- if it
turns out to be the wrong choice (e.g. ineffective, or defeated by
phishers' future adaptations) then we've wasted a huge amount of
political capital and user mindshare.

Some of the "hacks" are worthwhile as experiments because we can
find out how users will respond to them before taking the big risky
leap of a browser change, and they can guide us toward discovering
an effective browser modification with a big bang for the buck.

Firefox gives us a middle road -- browser extensions that can be
separately downloaded and installed. This is a good way for new
approaches to be explored and road-tested.

And OpenID gives us the flexibility to try out different approaches,
also at much lower risk.

I don't believe we know the answer to your first question. There are
a couple of orders of magnitude more speculation and handwaving on this
topic than there is hard data (though so far, the data seems to
support most of the common pessimistic speculations). So you could
consider these "hacks" as fitting into your proposed plan, since
they are part of finding an answer to your first question.

-- ?!ng